Merged in bugfix/anon_after_session_expired (pull request #351)

Don't use anonymous access after access token expires
2026-05-06 15:07:25 +02:00 · 2019-11-18 12:42:05 +00:00
parent 436252b7a9 bf98c59050
commit 1ac39d1355
3 changed files with 57 additions and 5 deletions
--- a/scm-core/src/main/java/sonia/scm/web/filter/AuthenticationFilter.java
+++ b/scm-core/src/main/java/sonia/scm/web/filter/AuthenticationFilter.java
@@ -127,7 +127,7 @@ public class AuthenticationFilter extends HttpFilter
      logger.trace("user is already authenticated");
      processChain(request, response, chain, subject);
    }
-    else if (isAnonymousAccessEnabled())
+    else if (isAnonymousAccessEnabled() && !HttpUtil.isWUIRequest(request))
    {
      logger.trace("anonymous access granted");
      subject.login(new AnonymousToken());
--- a/scm-ui/ui-components/src/apiclient.test.ts
+++ b/scm-ui/ui-components/src/apiclient.test.ts
@@ -1,4 +1,4 @@
-import { apiClient, createUrl } from "./apiclient";
+import { apiClient, createUrl, extractXsrfTokenFromCookie } from "./apiclient";
 import fetchMock from "fetch-mock";
 import { BackendError } from "./errors";

@@ -70,3 +70,22 @@ describe("error handling tests", () => {
    });
  });
 });
+
+describe("extract xsrf token", () => {
+  it("should return undefined if no cookie exists", () => {
+    const token = extractXsrfTokenFromCookie(undefined);
+    expect(token).toBeUndefined();
+  });
+
+  it("should return undefined without X-Bearer-Token exists", () => {
+    const token = extractXsrfTokenFromCookie("a=b; c=d; e=f");
+    expect(token).toBeUndefined();
+  });
+
+  it("should return xsrf token", () => {
+    const cookie =
+      "a=b; X-Bearer-Token=eyJhbGciOiJIUzI1NiJ9.eyJ4c3JmIjoiYjE0NDRmNWEtOWI5Mi00ZDA0LWFkMzMtMTAxYjY3MWQ1YTc0Iiwic3ViIjoic2NtYWRtaW4iLCJqdGkiOiI2RFJpQVphNWwxIiwiaWF0IjoxNTc0MDcyNDQ4LCJleHAiOjE1NzQwNzYwNDgsInNjbS1tYW5hZ2VyLnJlZnJlc2hFeHBpcmF0aW9uIjoxNTc0MTE1NjQ4OTU5LCJzY20tbWFuYWdlci5wYXJlbnRUb2tlbklkIjoiNkRSaUFaYTVsMSJ9.VUJtKeWUn3xtHCEbG51r7ceXZ8CF3cmN8J-eb9EDY_U; c=d";
+    const token = extractXsrfTokenFromCookie(cookie);
+    expect(token).toBe("b1444f5a-9b92-4d04-ad33-101b671d5a74");
+  });
+});
--- a/scm-ui/ui-components/src/apiclient.ts
+++ b/scm-ui/ui-components/src/apiclient.ts
@@ -2,13 +2,46 @@ import { contextPath } from "./urls";
 import { createBackendError, ForbiddenError, isBackendError, UnauthorizedError } from "./errors";
 import { BackendErrorContent } from "./errors";

+const extractXsrfTokenFromJwt = (jwt: string) => {
+  const parts = jwt.split(".");
+  if (parts.length === 3) {
+    return JSON.parse(atob(parts[1])).xsrf;
+  }
+};
+
+// @VisibleForTesting
+export const extractXsrfTokenFromCookie = (cookieString?: string) => {
+  if (cookieString) {
+    const cookies = cookieString.split(";");
+    for (const c of cookies) {
+      const parts = c.trim().split("=");
+      if (parts[0] === "X-Bearer-Token") {
+        return extractXsrfTokenFromJwt(parts[1]);
+      }
+    }
+  }
+};
+
+const extractXsrfToken = () => {
+  return extractXsrfTokenFromCookie(document.cookie);
+};
+
 const applyFetchOptions: (p: RequestInit) => RequestInit = o => {
-  o.credentials = "same-origin";
-  o.headers = {
+  const headers: { [key: string]: string } = {
    Cache: "no-cache",
    // identify the request as ajax request
-    "X-Requested-With": "XMLHttpRequest"
+    "X-Requested-With": "XMLHttpRequest",
+    // identify the web interface
+    "X-SCM-Client": "WUI"
  };
+
+  const xsrf = extractXsrfToken();
+  if (xsrf) {
+    headers["X-XSRF-Token"] = xsrf;
+  }
+
+  o.credentials = "same-origin";
+  o.headers = headers;
  return o;
 };